TLS gives you *authentication*. It proves that the bearer owns the
DN specified in the certificate. There is no list of "approved
clients" associated with that authentication check.
The consumer (here, the LDAP server) must then do an *authorization*
check, determining whether that DN is allowed to access a particular
resource or perform a particular action. This authorization check
might involve ACLs, or lists of approved clients, or similar
structures.
--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
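An added example, not part of the message above, showing the two steps side by side in Python. The TLS layer is assumed to have already verified the client certificate chain and handed over the subject DN; the code below only does the authorization step the message describes. The ACL structure, the DN normalisation helper and every DN shown are constructed for illustration and do not reflect any particular LDAP server's real ACL syntax.

```python
"""Authorization check layered on top of a TLS-authenticated subject DN.

Assumption (constructed scenario): the TLS handshake has validated the
client certificate, so we trust that the bearer owns the subject DN.
Nothing in that handshake says the DN may touch a given directory entry;
that is the ACL check below, which is default-deny.
"""
from dataclasses import dataclass


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, normalised for comparison.

    Handles backslash-escaped commas (a subset of RFC 4514). Attribute types
    are case-insensitive and values are compared case-folded, so
    "CN=Alice, OU=Admins" and "cn=alice,ou=admins" compare equal. Comparing
    raw strings instead would make the ACL depend on how the CA happened to
    format the certificate subject.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, _, value = part.partition("=")  # first '=' separates type/value
        rdns.append((attr.strip().lower(), value.strip().casefold()))
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or sits anywhere beneath it (suffix match on RDNs)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(b) <= len(d) and d[-len(b):] == b


@dataclass(frozen=True)
class AclEntry:
    subject: str           # DN of the client, or a container DN when subtree=True
    resource: str          # directory subtree this rule covers
    actions: frozenset     # e.g. {"read", "write"}
    subtree: bool = False  # match any DN beneath `subject`, not just that exact DN


# Constructed ACL: one replica server may read everything, members of the
# admins container may read/write people entries. Nothing else is granted.
ACL = [
    AclEntry("cn=replica1,ou=servers,dc=example,dc=com",
             "dc=example,dc=com", frozenset({"read"})),
    AclEntry("ou=admins,dc=example,dc=com",
             "ou=people,dc=example,dc=com", frozenset({"read", "write"}),
             subtree=True),
]


def authorize(acl, subject_dn: str, resource_dn: str, action: str) -> bool:
    """Authorization step: grant only if some ACL entry explicitly allows it."""
    for entry in acl:
        if entry.subtree:
            subject_ok = is_under(subject_dn, entry.subject)
        else:
            subject_ok = parse_dn(subject_dn) == parse_dn(entry.subject)
        if subject_ok and is_under(resource_dn, entry.resource) \
                and action in entry.actions:
            return True
    return False


if __name__ == "__main__":
    # A perfectly valid certificate (authenticated) that appears in no ACL
    # entry is still refused: authentication alone grants nothing.
    print(authorize(ACL, "cn=eve,ou=contractors,dc=example,dc=com",
                    "ou=people,dc=example,dc=com", "read"))       # False
    # Same DN as the ACL entry, formatted differently by the CA.
    print(authorize(ACL, "CN=Replica1, OU=Servers, DC=example, DC=com",
                    "uid=bob,ou=people,dc=example,dc=com", "read"))  # True
```

The `is_under` helper is deliberately reused for both the subject and the resource side so that container-based rules ("anyone under ou=admins") and subtree-scoped resources use one well-tested comparison rather than two ad-hoc string checks.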